On Sat, 9 Sep 2000, Pekka Savola wrote:
>If your system were to be remotely controllable, it would have to use
>a listening socket. Your netscape-communicator is _not_ a server process,
>so it won't show up there. And as the malicious process could be UDP too,
>I'd include -u in there, ie. -ltu
On Sat, 9 Sep 2000, Harry Putnam wrote:
>Date: Sat, 9 Sep 2000 06:30:54 -0700
>From: Harry Putnam <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Content-Type: text/plain; charset=us-ascii
>Subject: Re: Urgent ! denial of Service Attack
>
>On Sat, Sep 09, 2000 at 05:52
On Sat, 9 Sep 2000, Harry Putnam wrote:
> netstat -antp |grep netscape:
>
> tcp1 0 my.isp.address:1150 64.208.32.100:80
> CLOSE_WAIT 22565/netscape-comm
>
> Whereas
> netstat -plut| grep 22565:
> (no hits)
>
> No doubt there is good reason for this but I find netstat -antp
On Sat, Sep 09, 2000 at 05:52:28AM -0400, Mike A. Harris wrote:
> On Thu, 7 Sep 2000, Alvin Starr wrote:
> You can use "netstat -plut" to list listening ports for
> tcp/udp and which pid/process in the system owns it as well..
netstat -plut doesn't list the program using the port or the foreign
a
And possibly you should think about "chatter" on files such as history files and the
like.
Also you may want to consider redirecting all log file messages specified in
/etc/syslog.conf to a remote system
for example:
Replace *.info;mail.none;news.none;authpriv.none
On Thu, 7 Sep 2000, Alvin Starr wrote:
>lsof will show open file descriptors and sockets. that combined with
>netstat -tan will show you what ports are being listened to. you can then
>close them down by killing the appropriate services.
You can use "netstat -plut" to list listening ports for
tcp
On Thu, 7 Sep 2000, Matt Fahrner wrote:
>One thing I can't find a good document on is *how* these denial of
>service programs (the binaries) got onto the Linux boxes in the first
>place. Were they installed through the "rpc.statd" hole? Is it IRC
>buffer overflow issue (it doesn't sound like it)?
On Thu, Sep 07, 2000 at 04:19:38PM -0700, kort wrote:
>
> Reinstalling will fix any currently hacked services, but that
> will just require the vandal to re-infect the system.
Not necessarily. Only a complete wipe and re-install will. Otherwise,
you need to use 'lsattr' to make sure that non
On Thu, 7 Sep 2000, Matt Fahrner wrote:
> I do understand that, I wasn't trying to imply anything about anyone's
> responsibility as it's obviously our own to secure our own boxes. What
> I'm trying to find out is if there was one particular hole that was used
> to insert the trojan or, as you su
ent: Thursday, September 07, 2000 7:34 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Urgent ! denial of Service Attack
>
> One thing I can't find a good document on is *how* these denial of
> service programs (the binaries) got onto the Linux boxes in the first
> place. Were th
outwards facing, and any and all security patches.
-Jesse
-Original Message-
From: Matt Fahrner [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 07, 2000 7:34 PM
To: [EMAIL PROTECTED]
Subject: Re: Urgent ! denial of Service Attack
One thing I can't find a good document on is
One thing I can't find a good document on is *how* these denial of
service programs (the binaries) got onto the Linux boxes in the first
place. Were they installed through the "rpc.statd" hole? Is it IRC
buffer overflow issue (it doesn't sound like it)? How did the trojan
horses get onto the syste
> On 7 Sep 2000, Nasir Mahmood wrote:
>
> > 1. How I check which port services are running except through
> > /etc/inetd.conf.
> >
> > 2. How I can kill harmful port addresses to check above attacks.
> >
> > More info: My system is under Denial of Service Attack Service. It is
> > continuously g
On 7 Sep 2000, Nasir Mahmood wrote:
> 1. How I check which port services are running except through
> /etc/inetd.conf.
>
> 2. How I can kill harmful port addresses to check above attacks.
>
> More info: My system is under Denial of Service Attack Service. It is
> continuously generating heavy